Firewall Exploration Flashcards

1
Q

Overview of Firewall

A
  • In the late 80s, the need to protect computers connected to the Internet from malicious users started to emerge.
  • The firewall inspects packets and decides whether to drop or forward each packet based on firewall rules.
  • A firewall is now also found on each individual machine (desktop firewall).
  • A firewall can work on ingress and/or egress packets.
2
Q

Types of firewalls

A

Packet Filter
Stateless Firewall
Stateful Firewall
Application/Proxy Firewall

3
Q

What is a packet filter?

A

Makes decisions based on each individual packet:

  • For each IP packet received from a local interface, check the packet against the set of access rules.
  • Forward, discard and/or log the packet according to the result of the rule-based verification.
  • Access rules are solely based on information found in packet headers, the interface, and the direction of the packet.
4
Q

What is a stateless firewall?

A

Makes decisions based on the state information formed by multiple packets that are related

  • will let packets pass that are not part of an established session
  • cannot detect SYN floods
  • does not know when a given flow must be allowed (e.g., FTP data channel)
5
Q

What is a stateful firewall?

A

The firewall must maintain the state of every TCP connection and block packets that are not part of any valid one.
- Not as easy as it looks, costly
- Attackers can launch algorithmic attacks against the firewall (DoS)

For UDP and ICMP, a “pseudo” connection has to be recognized to let, e.g., replies go through the firewall but no other unwanted packets.

6
Q

What is an application/proxy firewall?

A

Application/Proxy Firewall
  • E.g., Network Address Translation (NAT): enables M machines to connect to the Internet while only having N IP addresses (M > N)
  • E.g., Web Proxy
7
Q

What is Linux’s built-in firewall?

A

Enables you to specify what to do with packets in a router/firewall/end host.

8
Q

T/F Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains.

A

T

9
Q

T/F Each chain is a list of rules which can match a set of packets. Each rule specifies what to do with a packet that matches.

A

T

10
Q

T/F This is called a target, which may be a jump to a user-defined chain in the same table.

A

T

11
Q

Iptables

A
  • Filter: this is the default table. It contains the built-in chains:
    - INPUT (for packets destined to local sockets)
    - FORWARD (for packets being routed through the box)
    - OUTPUT (for locally-generated packets)
  • Nat: this table is consulted when a packet that creates a new connection is encountered. It consists of four built-in chains:
    - INPUT (for packets destined to local sockets)
    - OUTPUT (for locally-generated packets)
    - PREROUTING (for altering packets as soon as they come in)
    - POSTROUTING (for altering packets as they are about to go out)
  • Mangle: the mangle table is used to alter the IP headers of the packet, e.g., adjust the TTL (Time to Live) value of a packet. It consists of five built-in chains.
12
Q

Note: Using iptables: General Format

A

iptables [-t filter] -A INPUT <rule> -j <target>

13
Q

Example: List/Delete All Rules

A

$ sudo iptables -t nat -L   --> listing nat rules
$ sudo iptables -t nat -F   --> I don’t know

14
Q

Example: List/Delete Rules with Numbers

A

$ sudo iptables -L --line-numbers
$ sudo iptables -D INPUT 2

15
Q

Iptables: Specifying Rule (1)

A
  • Layer 2: -i interface (incoming), -o interface (outgoing)
  • Layer 3: -s source IP (/mask), -d destination IP (/mask)
16
Q

Iptables: Specifying Rule (2): TCP/UDP/ICMP with example?

A

-p protocol [protocol-specific rule]

ex: -p tcp --dport 22
ex: -p icmp --icmp-type echo-request

iptables -p tcp -h   --> tells me what the tcp options do

17
Q

Iptables: Target

A
  • Targets: ACCEPT, DROP, RETURN, LOG
  • Target extensions (e.g., SNAT, TTL)
  • Examples:
    • Block IP
      $ sudo iptables -A INPUT -s 192.168.30.6 -d 192.168.1.0/24 -j DROP
    • Open TCP ports 22 and 80
      $ sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
      $ sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
    • Allow all outgoing TCP traffic
      $ sudo iptables -A OUTPUT -p tcp -j ACCEPT
18
Q

Modify Source IP: Source NAT (SNAT)

A

$ sudo iptables -t nat -A POSTROUTING -o enp0s3 \
    -j SNAT --to-source 10.0.2.7

19
Q

IP Masquerading and NAT

A

$ sudo iptables -t nat -A POSTROUTING -o enp0s3 -j MASQUERADE

See on ChatGPT what it does.

20
Q

Destination NAT: Port Forwarding

A

$ sudo iptables -t nat -A PREROUTING -p tcp --dport 8000 \
    -j DNAT --to-destination 192.168.60.5:23

21
Q

DNAT: Load Balancing (nth or round robin mode)

A

  • Load Balancing: load balance three servers running in the internal network: round robin mode
  • For every three packets, pick packet 0 (i.e., the first one), change its destination IP address and
    port number. The modified packet will continue on its journey. Packets that do not match the rule
    will continue on their journeys.

$ sudo iptables -t nat -A PREROUTING -p tcp --dport 8000 \
    -m statistic --mode nth --every 3 --packet 0 \
    -j DNAT --to-destination 192.168.60.5:8000

  • Same logic for the remaining packets:

$ sudo iptables -t nat -A PREROUTING -p tcp --dport 8000 \
    -m statistic --mode nth --every 2 --packet 0 \
    -j DNAT --to-destination 192.168.60.6:8000

$ sudo iptables -t nat -A PREROUTING -p tcp --dport 8000 \
    -j DNAT --to-destination 192.168.60.7:8000

22
Q

DNAT: Load Balancing (random mode)

A
  • Load Balancing: load balance three servers running in the internal network: random mode. Select a matching packet with probability P.

$ sudo iptables -t nat -A PREROUTING -p tcp --dport 8000 \
    -m statistic --mode random --probability P1 \
    -j DNAT --to-destination 192.168.60.5:8000

$ sudo iptables -t nat -A PREROUTING -p tcp --dport 8000 \
    -m statistic --mode random --probability P2 \
    -j DNAT --to-destination 192.168.60.6:8000

$ sudo iptables -t nat -A PREROUTING -p tcp --dport 8000 \
    -m statistic --mode random --probability P3 \
    -j DNAT --to-destination 192.168.60.7:8000

23
Q

Use iptables Match/Target Extensions

A

Match Extension Example: the limit module limits the number of packets that can
pass through the firewall

$ sudo iptables -A INPUT -p icmp \
    -m limit --limit 10/min --limit-burst 5 \
    -j ACCEPT

$ sudo iptables -A INPUT -p icmp -j DROP
$ sudo iptables -m limit -h

  • Target Extension Examples
    • The SNAT and DNAT target extensions (nat table)
    • Increase the TTL field of all packets by 5 (mangle table)
      $ sudo iptables -t mangle -A OUTPUT -j TTL --ttl-inc 5
24
Q

Stateful Firewall & Connection Tracking

A

Connection States: NEW, ESTABLISHED, RELATED, INVALID

$ sudo conntrack -L

25
Q

Using Connection Tracking with iptables

A

$ sudo iptables -A INPUT -p tcp \
    -m conntrack --ctstate NEW,RELATED,ESTABLISHED \
    -j ACCEPT

26
Q

Application Firewall/Proxy, e.g., Web Proxy

A

  • Controls input/output of an application or service

27
Q

Bypassing a firewall or firewall evasion

A

  • Use vulnerabilities (not covered)
  • Use tunneling (next session)